Check that the length of the received message is at least as big as a PDU
before we use pdu->len. Submitted by: Iain Hibbert MFC after: 3 days
This commit is contained in:
parent
21ab16bd5b
commit
6bfc799ccf
|
@ -432,7 +432,8 @@ server_process_request(server_p srv, int32_t fd)
|
|||
return (-1);
|
||||
}
|
||||
|
||||
if (sizeof(*pdu) + (pdu->len = ntohs(pdu->len)) == len) {
|
||||
if (len >= sizeof(*pdu) &&
|
||||
sizeof(*pdu) + (pdu->len = ntohs(pdu->len)) == len) {
|
||||
switch (pdu->pid) {
|
||||
case SDP_PDU_SERVICE_SEARCH_REQUEST:
|
||||
error = server_prepare_service_search_response(srv, fd);
|
||||
|
|
Loading…
Reference in New Issue